MasterCard | Is your claw a shopaholic?
Warn
Audited by ClawScan on May 18, 2026.
Overview
This is a coherent payment skill, but it deserves careful review because it lets an agent spend money and run a runtime-delivered card-decryption flow.
Install only if you intentionally want an agent to have guarded payment abilities. Verify the CreditClaw publisher, keep approval-required mode on at first, protect the CREDITCLAW_API_KEY, and do not use the encrypted-card rail unless you are comfortable with a runtime-delivered decrypt script and ephemeral sub-agent handling real card details.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the delivered script or checkout steps are unsafe, the agent could execute unreviewed code while handling payment-card details.
The skill instructs the agent to run a runtime-delivered Node.js decryption script that is not included in the reviewed files, and that script handles real credit card data.
The sub-agent runs the deterministic decrypt script that was delivered with the card file: `node decrypt.js <key_hex> <iv_hex> <tag_hex> Card-ChaseD-9547.md`
Only use this flow if you trust the CreditClaw provider and can verify the delivered decrypt script, and ensure the agent environment prevents logging or reuse of decrypted card data.
Sensitive payment details may enter a sub-agent’s context, so the safety depends on the platform actually isolating and deleting that sub-agent without retaining logs.
The checkout workflow intentionally passes remote API-provided task instructions to a sub-agent that will handle decrypted card details.
Once approved, you spawn an ephemeral sub-agent using the `spawn_payload` from the response... The sub-agent executes the `checkout_steps` in sequence.
Confirm your OpenClaw environment supports ephemeral sub-agents, deletion, and restricted logging before using encrypted-card checkout.
Anyone who obtains the API key may be able to perform wallet or spending actions within the configured guardrails.
The required CREDITCLAW_API_KEY is expected for this payment service, but it grants financial authority and must be treated as a high-value secret.
All requests require: `Authorization: Bearer <your-api-key>`... Your API key is your identity. Leaking it means someone else can spend your owner's money.
Store the API key securely, restrict which agents can access it, and rotate it immediately if it is exposed.
The agent can initiate real purchase workflows and provide shipping details when the owner has enabled the rail.
The skill documents real-world purchase capability through an external merchant flow. This is aligned with the skill purpose, but it is financially consequential.
POST /card-wallet/bot/purchase... CreditClaw routes the order through Crossmint and places a real order with the merchant.
Keep default approval enabled unless you intentionally want auto-spend, and review merchant, amount, quantity, and shipping address before approving purchases.
If the spending policy file is changed unexpectedly, the agent may make different purchase decisions than the owner intended, subject to server-side limits.
The skill uses persistent spending instructions that influence future purchase behavior. That is expected for a guardrail file, but it should not be editable by untrusted parties.
This file controls how your bot spends money. Edit any section below. Your bot reads this file before every purchase to decide whether to proceed, ask for approval, or decline.
Keep spending-policy files in a protected location and verify them before enabling automatic approvals.
A user might assume this is affiliated with Mastercard even though the artifacts show a CreditClaw service instead.
The registry-facing name references Mastercard while the reviewed artifacts are for CreditClaw and the source is unknown, creating provenance and branding ambiguity for a financial skill.
Name: MasterCard | Is your claw a shopaholic? ... Source: unknown ... Homepage: https://creditclaw.com
Verify the publisher and service affiliation independently before granting payment credentials or card access.
